Firebase authentication emails are blocked by Office 365

Copper Contributor

Many of my customers are recently not getting any authentication emails from my apps anymore. The DKIM keys are setup, authorized senders and so on.

 

The authentication emails do go through to non-office365 emails.

 

Any hints on who to talk to?

15 Replies

hi@Kidd_Ip 

yes but I get the answer "We were unable to identify anything on our side that would prevent your mail from reaching Outlook.com customers."

I have tried sending to my own @outlook.com account, and it goes through. But none of the business customers get their authentication emails.

(I have a list of several problem domains all resolving to a *.mail.protection.outlook.com. mail exchange, but don't feel I can share the domain list on a public forum)

Hi @arnotixe,

 

I'll send you a private message with a test email address in a dev O365 tenant. So you can send there a message and I'll be able to trace it and see if something is blocking it.

Hi @arnotixe,

 

Thanks for sending me a test message.

It was Quarantined by O365 as High Spam/Phish.

FcoManigrasso_0-1677512855405.png

The problems that I see here are 2 main ones. On one hand the links are considered dangerous, ( but that probably can be easily solved fixing the other problem.

On the other hand, your sending server is blacklisted: mail-vs1-f70.google.com (209.85.217.70)

FcoManigrasso_1-1677513024119.png

So, basically you need to ensure to delist it or use another relay for such deliveries. DKIM passes, but the sender server has low reputation. 

Wondering who to contact next, as the server itself is probably sending out on behalf of many different identities.
This problem is currently affecting 74 of my business customers.

The way it looks now, setting up a different outbound server for these mails (serving only my domain for example) would be the only option?

Hi @arnotixe,

Not sure if I got your question. But you have many options...

- Ask the provider to delist.

- Use another relay

- Request the recipients IT teams to whitelist you, ( probably rejected by the Security teams. Think that they have no control over the sender servers... You neither. Too risky ).

And probably other options depending on your environment and requirements. 

The point is basically that O365 identifies your messages as SPAM/Phish and is quarantining all your messages.

yeah this is still a problem (exclusively for Microsoft customers) even after having purchased a Dedicated IP to send with…

Hi @arnotixe,

 

I just analyzed the new test message that you sent me and it passes the security scans and it's not identified as Bulk. The only problem is the SCL level, (5), and by default EOP will deliver those messages to the Junk email folder. ( Note that this can be modified by the Admins, so it's possible that in some cases it landes in the inbox folder and in other ones it will be quarantined ).

I'll share the message header with you in a private message. Finde here more information about the SCL value:

 

Spam confidence level - Office 365 | Microsoft Learn

Antispam stamps | Microsoft Learn

Anti-spam message headers - Office 365 | Microsoft Learn

 

@FcoManigrasso 

 

I have a brand new app, that is also using Firebase and I am experiencing exactly the same issue. The Firebase Authentication service has pre-configured templates that it sends for user email verification and similar interactions. The Authentication product sends these communications by default from Firebase's own email service.

 

This issue will affect any developer who uses Firebase (of which there are many) and uses Firebase authentication. Seems like this is a new issue though as these emails were all still working at the beginning of Feb.

 

Given that this is a universal problem experienced by many users of the Firebase Service, how can this be addressed at a large scale, rather than everybody trying to address this individually?

 

The delisting service also has no effect. I enter my sender email and IP (now have a dedicated one) into https://sender.office.com/, verify it by clicking the link I get (I don't block THEIR mails "ha ha") and then I get "Delisting was denied, click to escalate". After that I don't hear anything.

The problem is that these auth emails somehow get tagged as spam in ONE Microsoft customer, and then protection.outlook.com blocks them for all.

I'm starting to think a lawsuit may be the way to go

Hi @arnotixe & @StefDevs,

Unfortunatley there's no much more I can do here. 

I searched around and found other forums with similar issues:

 

Authentication emails for the firebaseapp.com domain are going to spam or are never received [253291...

 

Firebase Auth: How to connect a custom domain for email templates | by Azmi Rutkay Biyik | Medium

 

Firebase confirmation email : Firebase (reddit.com)

 

On the last test message received by @arnotixe I see all quite good, only a problem with the returnpath and that SCL score, ( 5 ). 

The sender was "robot & domainname.no" and the returnpath was "

bounces-201492346-robot=domainname.no & mailer.domainname.no"

EOP is very strict with spammers, so they pay a lot of attention at the returnpath and reputation of the senders servers.

 

Mark messages as safe ones will help for a single O365 organization, but that doesn't mean that the same messages will go thorugh the other ones. ( And if the messages are considered High confidence SPAM/Phish, that will not help ). In the case of @arnotixe I think he's quite close to a solution, as all the other headers and scans are clean. In your case, @StefDevs I don't know without analyze a message header, but I'm quite sure that the issue will be the same, ( server/IP reputation, domainname, returnpath... ).

My suggestion will be to refer to the Firebase community and the fixes mentioned there. 

Microsoft Defender/EOP adapts the detection engine as per admins feedbacks, but if something seems suspicious, the security of the O365 customers environments will always be the priority, and only tenants admins will be able to "adapt" it to each own environment.

 

Sorry that I have not better news...

Just want to thank FcoManigrasso here too, he's been very helpful in finding out what the problem is! Post your donation link here, FcoManigrasso!

Basically, for existing customers we have to tell their IT departments to whitelist our sender. We'll add a notice to the login page about this. This is also the Microsoft way of doing it, according to this link: https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/services-for-non-custom...

In short, customers must whitelist our senders or open a ticket with Microsoft support about it.

The only thing not solveable by this approach is the case of new companies. This adds a LOT of friction to the signup process. Basically it is blocking it altogether.

I tried the https://sender.office.com/ to delist it, but it said it sent a confirmation email to the email that I was trying to delist. This is an email provided by Firebase with literally the "noreply" at the beginning. Obviously, I can't access it. Any other suggestions? It seems like you are basically just saying, nothing we can do, we have big dumb spam filters that suck at precision and there is nothing we are going to do about it.

This is kinda bullshit to be honest. I get that some people use these services to spam, but with the tech available today to sort out who is using it for spam and who is using it for legitimate purposes, this is a big FAIL for Microsoft. Probably still using regression for spam filters.

 

Ironically, I was just looking into whether I should use Outlook or Gmail for my company's emails.  I do not have problems with blocking from Gmail from any other service, whether it is a Google service or otherwise.  This sealed the deal to use Gmail, thanks for making the decision easier!

@kbourne650yeah, I'm tempted to actually buy one of those Whitelisting services Microsoft themselves offer… It is a stretch at about $1500 a year though o_O

As an alternative I'm currently adding SMS login, bypassing the problem to an extent

 

SSO is another option, but setting it up is pretty heavy, and if you want Auth0 to take the app integration for you, a quote there was $30 000 a year (--PER MICROSOFT TENANT!!). As I have about 70 Microsoft customers, that is, well, out of the question.

 

I've also tried registering at https://sendersupport.olc.protection.outlook.com/snds/pref.aspx but the confirmation mail never reaches me (and no, I don't block their emails, and the email address I choose for notification IS working). Also I don't know if that page has anything to do with this issue.

 

Only thing that makes me feel a little bad about paying up for "email deliverability to Microsoft" is that it is basically a kind of hostage situation. We need to send mail there, but have to pay $1500 a year for them to take it? Hmmmmmmmmm

 

If you find any better pointers, PLEASE let me know :D I'll do the same